(1)
Configuration on <AR3>:
#
router id 1.1.1.1
#
acl number 3000
rule 0 permit ip source 222.23.23.3 0 destination 222.14.14.4 0 //source and destination of the protected flow are the public addresses
#
ipsec proposal de
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 5
encryption-algorithm aes-cbc-128
dh group14
#
ike peer right v1
exchange-mode aggressive
pre-shared-key cipher %$%$/cYo-IX<S*+n:%KSBbkS,.2n%$%$
ike-proposal 5
local-id-type name
local-address 222.23.23.3
remote-address 222.14.14.4
#
ipsec policy right 10 isakmp
security acl 3000
ike-peer right
proposal de
#
interface GigabitEthernet0/0/0 //public-facing (WAN) interface
ip address 222.23.23.3 255.255.255.0
ipsec policy right
#
interface GigabitEthernet0/0/1 //internal (LAN) interface
ip address 172.30.1.1 255.255.255.252
#
interface GigabitEthernet0/0/2
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel0/0/0
ip address 10.10.10.1 255.255.255.0
tunnel-protocol gre
source GigabitEthernet0/0/0
destination 222.14.14.4
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.10.10.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 222.23.23.2
#
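As an added consistency check (this script is not from the original post and is not Huawei tooling): it parses the AR3 configuration above and verifies that the GRE tunnel endpoints, the IKE peer's local-address/remote-address, and the ACL referenced by the IPsec policy all describe the same pair of public addresses. In GRE over IPsec the ACL protects the outer GRE packets between the tunnel endpoints, not the private subnets carried inside the tunnel, and the IPsec policy must be applied on the interface the tunnel is sourced from. The configuration text embedded in the script is copied from the post (reduced to the blocks the checks read, pre-shared key omitted); the function and variable names are the script's own.

```python
"""Check that a Huawei GRE-over-IPsec configuration is internally consistent.

Added example (not the post's or Huawei's code): the tunnel, the IKE peer and
the IPsec ACL must all name the same pair of public endpoints.
"""
import ipaddress
import re
from typing import Dict, List

# AR3 configuration from the post, reduced to the blocks these checks read.
AR3_CONFIG = """\
acl number 3000
rule 0 permit ip source 222.23.23.3 0 destination 222.14.14.4 0
#
ike peer right v1
local-address 222.23.23.3
remote-address 222.14.14.4
#
ipsec policy right 10 isakmp
security acl 3000
ike-peer right
#
interface GigabitEthernet0/0/0
ip address 222.23.23.3 255.255.255.0
ipsec policy right
#
interface Tunnel0/0/0
tunnel-protocol gre
source GigabitEthernet0/0/0
destination 222.14.14.4
#
"""
RULE_RE = re.compile(r"rule \d+ (permit|deny) (\S+) source (\S+) (\S+) destination (\S+) (\S+)")


def split_blocks(config: str) -> List[List[str]]:
    """Split a Huawei config into its '#'-separated blocks, dropping // comments."""
    blocks: List[List[str]] = [[]]
    for raw in config.splitlines():
        line = raw.split("//", 1)[0].strip()
        if line in ("#", "return"):
            blocks.append([])
        elif line:
            blocks[-1].append(line)
    return [b for b in blocks if b]


def parse(config: str) -> Dict[str, dict]:
    """Collect interfaces, ACL rules, IKE peers and IPsec policies by name."""
    cfg: Dict[str, dict] = {"interfaces": {}, "acls": {}, "ike_peers": {}, "ipsec_policies": {}}
    for block in split_blocks(config):
        head, body = block[0].split(), [ln.split() for ln in block[1:]]
        if head[0] == "interface":
            iface: Dict[str, str] = {}
            for p in body:
                if p[:2] == ["ip", "address"]:
                    iface["ip"] = p[2]
                elif p[:2] == ["ipsec", "policy"]:
                    iface["ipsec_policy"] = p[2]
                elif p[0] in ("tunnel-protocol", "source", "destination"):
                    iface[p[0]] = p[1]
            cfg["interfaces"][head[1]] = iface
        elif head[:2] == ["acl", "number"]:
            cfg["acls"][head[2]] = [m.groups() for m in map(RULE_RE.match, block[1:]) if m]
        elif head[:2] == ["ike", "peer"]:
            cfg["ike_peers"][head[2]] = {p[0]: p[1] for p in body if len(p) == 2}
        elif head[:2] == ["ipsec", "policy"]:
            # e.g. {'security': '3000', 'ike-peer': 'right'} from 'security acl 3000' / 'ike-peer right'
            cfg["ipsec_policies"][head[2]] = {p[0]: p[-1] for p in body}
    return cfg


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Huawei ACL wildcard: 1 bits are ignored, 0 bits must match ('0' means exact host)."""
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    care = ~wc & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(rule_addr)) & care


def check_gre_over_ipsec(config: str) -> List[str]:
    """Return findings for every GRE tunnel; an empty list means everything agrees."""
    cfg, findings = parse(config), []
    ifaces = cfg["interfaces"]
    by_ip = {i["ip"]: n for n, i in ifaces.items() if "ip" in i}
    for name, tun in ifaces.items():
        if tun.get("tunnel-protocol") != "gre":
            continue
        src = tun.get("source", "")  # may be an interface name or a literal address
        src_if = src if src in ifaces else by_ip.get(src)
        if src_if is None or "ip" not in ifaces[src_if]:
            findings.append(f"{name}: tunnel source {src!r} has no configured address")
            continue
        src_ip, dst_ip = ifaces[src_if]["ip"], tun.get("destination")
        pol = cfg["ipsec_policies"].get(ifaces[src_if].get("ipsec_policy"))
        if pol is None:
            findings.append(f"{name}: no ipsec policy applied on source interface {src_if}")
            continue
        peer = cfg["ike_peers"].get(pol.get("ike-peer"), {})
        if (peer.get("local-address"), peer.get("remote-address")) != (src_ip, dst_ip):
            findings.append(f"{name}: ike peer addresses differ from tunnel endpoints {src_ip}->{dst_ip}")
        acl = pol.get("security")
        protected = any(
            act == "permit" and proto in ("ip", "gre", "47")
            and wildcard_match(src_ip, s, sw) and wildcard_match(dst_ip, d, dw)
            for act, proto, s, sw, d, dw in cfg["acls"].get(acl, [])
        )
        if not protected:
            findings.append(f"{name}: acl {acl} does not match the outer GRE packets {src_ip}->{dst_ip}")
    return findings


if __name__ == "__main__":
    print(check_gre_over_ipsec(AR3_CONFIG) or ["AR3: tunnel, IKE peer and ACL are consistent"])
```

Run as-is it reports AR3 as consistent. Replacing the ACL rule with one that matches the private subnets instead of the tunnel endpoints, a common mistake in GRE-over-IPsec designs, makes it report that the outer GRE packets would leave the public interface unprotected.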
Configuration on <LSW1>:
vlan batch 2 to 3
#
interface Vlanif1
#
interface Vlanif2
ip address 172.30.1.2 255.255.255.252
#
interface Vlanif3
ip address 192.168.100.254 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 3
#
ip route-static 192.168.50.0 255.255.255.0 172.30.1.1
#
port-group computers
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
#
return
<LSW1>
At this point, what can be done is:
(2)
Next, add the following to OSPF area 0 on AR3 and on AR4 respectively:
network 172.30.1.0 0.0.0.3
network 172.20.1.0 0.0.0.3
What can be done is:
(3)
On AR3, add a static route and tag it:
ip route-static 192.168.100.0 255.255.255.0 172.30.1.2 tag 100
#
route-policy rs100 permit node 10
if-match tag 100
Import it into OSPF:
ospf 1
import-route static route-policy rs100
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.10.10.0 0.0.0.255
network 172.30.1.0 0.0.0.3
Do the same on AR4.
What can be done is:
OSPF first establishes its neighbors and so on; the traffic goes to the tunnel interface, is processed there, then follows the static default route(?), then reaches the physical interface for IPsec processing(?), and is then sent out(?)
References: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100007338&lang=zh
https://files.cnblogs.com/files/JCSU/greoveripsecwithospf.rar?t=1649174064